perl: fix for CVE-2010-4777

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777 (From OE-Core rev: 368df9f13ddf124e6aaaec06c02ab698c9e0b6c3) Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: yanjun.zhu <yanjun.zhu@windriver.com> 2014-05-20 09:27:47 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-05-27 16:11:54 +0100
commit: 284a9b5f6bd35fec5db8854ca1c8af52e02a1542 (patch)
tree: 28376807016a4c00cbfcc4a894d6753f61770e0a
parent: c8645caf56228da1bd4f448dbf90066911a1c59d (diff)
download: poky-284a9b5f6bd35fec5db8854ca1c8af52e02a1542.tar.gz
3 files changed, 49 insertions, 2 deletions
diff --git a/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
new file mode 100644
index 0000000000..e0dcf412bb
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
@@ -0,0 +1,45 @@
+perl:fix for CVE-2010-4777
+Upstream-Status: Backport
+    
+The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
+5.14.0, and other versions, when running with debugging enabled,
+allows context-dependent attackers to cause a denial of service
+(assertion failure and application exit) via crafted input that
+is not properly handled when using certain regular expressions,
+as demonstrated by causing SpamAssassin and OCSInventory to
+crash.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/regcomp.c
+++ b/regcomp.c
+@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
+ 
+                if (gvp) {
+                    GV * const gv = *gvp;
+-                   if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
+-                       save_scalar(gv);
+                   if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
+                       /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
+                       SV ** const sptr = &GvSVn(gv);
+                       SV * osv = *sptr;
+                       SV * nsv = newSV(0);
+                       save_pushptrptr(SvREFCNT_inc_simple(gv),
+                       SvREFCNT_inc(osv), SAVEt_SV);
+                       if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
+                           SvTYPE(osv) != SVt_PVGV) {
+                           if (SvGMAGICAL(osv)) {
+                               const bool oldtainted = PL_tainted;
+                               SvFLAGS(osv) |= (SvFLAGS(osv) &
+                                   (SVp_IOK|SVp_NOK|SVp_POK)) >> PRIVSHIFT;
+                               PL_tainted = oldtainted;
+                           }
+                           mg_localize(osv, nsv, 1);
+                       }
+                       *sptr = nsv;
+                   }
+                }
+            }
+        }
diff --git a/meta/recipes-devtools/perl/perl-native_5.14.3.bb b/meta/recipes-devtools/perl/perl-native_5.14.3.bb
index 2ef0a5135c..c38be41d49 100644
--- a/meta/recipes-devtools/perl/perl-native_5.14.3.bb
+++ b/meta/recipes-devtools/perl/perl-native_5.14.3.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
           file://MM_Unix.pm.patch \
           file://debian/errno_ver.diff \
           file://dynaloaderhack.patch \
-           file://perl-build-in-t-dir.patch"
+           file://perl-build-in-t-dir.patch \
+           file://perl-5.14.3-fix-CVE-2010-4777.patch "
 SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"
 SRC_URI[sha256sum] = "03638a4f01bc26b81231233671524b4163849a3a9ea5cc2397293080c4ea339f"
diff --git a/meta/recipes-devtools/perl/perl_5.14.3.bb b/meta/recipes-devtools/perl/perl_5.14.3.bb
index c307b99fae..fcd665bf34 100644
--- a/meta/recipes-devtools/perl/perl_5.14.3.bb
+++ b/meta/recipes-devtools/perl/perl_5.14.3.bb
@@ -74,7 +74,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
        file://config.sh-32-be \
        file://config.sh-64 \
        file://config.sh-64-le \
-        file://config.sh-64-be"
+        file://config.sh-64-be \
+        file://perl-5.14.3-fix-CVE-2010-4777.patch "
 #       file://debian/fakeroot.diff
 SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"
author	yanjun.zhu <yanjun.zhu@windriver.com>	2014-05-20 09:27:47 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-05-27 16:11:54 +0100
commit	284a9b5f6bd35fec5db8854ca1c8af52e02a1542 (patch)
tree	28376807016a4c00cbfcc4a894d6753f61770e0a
parent	c8645caf56228da1bd4f448dbf90066911a1c59d (diff)
download	poky-284a9b5f6bd35fec5db8854ca1c8af52e02a1542.tar.gz

diff --git a/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch new file mode 100644 index 0000000000..e0dcf412bb --- /dev/null +++ b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
@@ -0,0 +1,45 @@
		1	perl:fix for CVE-2010-4777
		2
		3	Upstream-Status: Backport
		4
		5	The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
		6	5.14.0, and other versions, when running with debugging enabled,
		7	allows context-dependent attackers to cause a denial of service
		8	(assertion failure and application exit) via crafted input that
		9	is not properly handled when using certain regular expressions,
		10	as demonstrated by causing SpamAssassin and OCSInventory to
		11	crash.
		12
		13	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
		14
		15	Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
		16	--- a/regcomp.c
		17	+++ b/regcomp.c
		18	@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
		19
		20	if (gvp) {
		21	GV * const gv = *gvp;
		22	- if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
		23	- save_scalar(gv);
		24	+ if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
		25	+ /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
		26	+ SV ** const sptr = &GvSVn(gv);
		27	+ SV * osv = *sptr;
		28	+ SV * nsv = newSV(0);
		29	+ save_pushptrptr(SvREFCNT_inc_simple(gv),
		30	+ SvREFCNT_inc(osv), SAVEt_SV);
		31	+ if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
		32	+ SvTYPE(osv) != SVt_PVGV) {
		33	+ if (SvGMAGICAL(osv)) {
		34	+ const bool oldtainted = PL_tainted;
		35	+ SvFLAGS(osv) \|= (SvFLAGS(osv) &
		36	+ (SVp_IOK\|SVp_NOK\|SVp_POK)) >> PRIVSHIFT;
		37	+ PL_tainted = oldtainted;
		38	+ }
		39	+ mg_localize(osv, nsv, 1);
		40	+ }
		41	+ *sptr = nsv;
		42	+ }
		43	}
		44	}
		45	}


diff --git a/meta/recipes-devtools/perl/perl-native_5.14.3.bb b/meta/recipes-devtools/perl/perl-native_5.14.3.bb index 2ef0a5135c..c38be41d49 100644 --- a/meta/recipes-devtools/perl/perl-native_5.14.3.bb +++ b/meta/recipes-devtools/perl/perl-native_5.14.3.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
17	file://MM_Unix.pm.patch \	17	file://MM_Unix.pm.patch \
18	file://debian/errno_ver.diff \	18	file://debian/errno_ver.diff \
19	file://dynaloaderhack.patch \	19	file://dynaloaderhack.patch \
20	file://perl-build-in-t-dir.patch"	20	file://perl-build-in-t-dir.patch \
		21	file://perl-5.14.3-fix-CVE-2010-4777.patch "
21		22
22	SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"	23	SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"
23	SRC_URI[sha256sum] = "03638a4f01bc26b81231233671524b4163849a3a9ea5cc2397293080c4ea339f"	24	SRC_URI[sha256sum] = "03638a4f01bc26b81231233671524b4163849a3a9ea5cc2397293080c4ea339f"


diff --git a/meta/recipes-devtools/perl/perl_5.14.3.bb b/meta/recipes-devtools/perl/perl_5.14.3.bb index c307b99fae..fcd665bf34 100644 --- a/meta/recipes-devtools/perl/perl_5.14.3.bb +++ b/meta/recipes-devtools/perl/perl_5.14.3.bb
@@ -74,7 +74,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
74	file://config.sh-32-be \	74	file://config.sh-32-be \
75	file://config.sh-64 \	75	file://config.sh-64 \
76	file://config.sh-64-le \	76	file://config.sh-64-le \
77	file://config.sh-64-be"	77	file://config.sh-64-be \
		78	file://perl-5.14.3-fix-CVE-2010-4777.patch "
78	# file://debian/fakeroot.diff	79	# file://debian/fakeroot.diff
79		80
80	SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"	81	SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"